Your organization has a choice regarding supplier resilience. You may assume that suppliers have sufficient plans and recovery procedures that will reduce the risk and impacts of disruptions to their operations. Or, you may choose to actively verify supplier resilience.
Either choice is valid so long as it is made overtly and after assessing the relative risks of each choice.
If your organization chooses to hold suppliers accountable for their resilience as a condition of the business relationship, there are policies, standards and processes to implement.
Supplier resilience standards should flow directly from your own resilience objectives. Your supplier compliance standards may need to be implemented in stages consistent with your own and suppliers’ BCM program maturity.
Your dependency analysis, part of your annual business continuity program review, should identify your critical suppliers, all of which should be subject to the resilience compliance program.
When initiating a supplier resilience compliance program, convey the compliance policy to each supplier, secure their formal commitment and integrate compliance in the procurement and contracting process thereafter.
It would be wise to provide a non-disclosure agreement (NDA) because many suppliers may claim their business continuity information is proprietary.
To ensure clarity, provide suppliers with a business continuity plan template and your assessment criteria.
At a minimum, annual reviews of supplier compliance will include:
Conduct supplier resilience assessments using a standardized report card or dashboard that may be used as the basis for collaborating with the supplier to meet resilience requirements. The tool should present findings as briefly and graphically as possible, with specific recommendations. After meeting with the supplier to review results, agree on a deadline for completing corrective actions.
The objective for assessing supplier resilience is to reduce your risk and confirm the supplier will be there for you, or to identify gaps to close or mitigate. Take a collaborative approach to the process.
Ultimately, as your supplier compliance program matures, it will progress from an assessment of suppliers' BCM programs to also measuring actual supplier resilience, integrating some of the organizational resilience measures used to assess your own organization. Eventually, compliance may include one or more of your critical suppliers actively participating in your recovery exercises.
The most serious risk to your organization isn’t malware, supply chain disruption, pandemic or any other single event. Ironically, your biggest risk is your inability to adequately recover from multiple simultaneous disruptions. In the past few years, business and society have adapted to various ‘new normals’, and one of those is disruptions layered one on top of another.
The painful reality is that our power utilities aren’t as reliable as we want to believe, and their facilities are vulnerable to attack. It’s time for organizations to actively mitigate and plan for disruptions of electricity and natural gas.
After a disruption or emergency occurs, it’s tempting to suspend some routine protocols, procedures and standards to recover as quickly as possible. It is often prudent and effective to do so, but recovery teams should be mindful that cutting the wrong corners can increase risk, worsen the situation and lengthen recovery time.